Since its first release, Android has required developers to sign their applications. When you update an app, Android compares the update's signature to that of the installed version. If they match, the update installs. This way, developers don't have to worry about modified APKs causing problems, and users are kept secure.

GuardSquare, a security firm based in Belgium, published a report today about a vulnerability it discovered in Android. Nicknamed 'Janus,' it allows attackers to add additional content to an APK without breaking the signature. Normally, Android checks the signature of the APK file, and if it matches the previous signature, the app is compiled into a DEX file for running on the device.

Janus works by combining an unmodified APK file with a modified DEX executable, which doesn't affect the app signature. The Android system would allow the installation, then start running code from the DEX header. Simply put, this would allow attackers to replace any app (ideally, from their point of view, one with many permissions already granted, like system apps) with a malicious version.

It's worth noting that the scope of this vulnerability is fairly limited. It only affects applications signed with Android's original JAR-based signing scheme, which was replaced with Signature Scheme v2 in Android 7.0 Nougat. On newer devices, attackers could only take advantage of apps not using the newer signing method (mostly older third-party apps). Also, this is only a concern for apps downloaded from outside the Play Store.
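The layout the article describes, a file that reads as a DEX from the front and as a ZIP from the back, is detectable because a normal APK begins with a ZIP local file header at offset 0 and the JAR (v1) signature only covers the ZIP entries, never bytes in front of them. The following is an added example, not GuardSquare's or Android's code: a Python check that inspects the file magic and asks the ZIP parser where the first entry really sits, run against a constructed ZIP stand-in for an APK and a constructed DEX-first copy of it. The function names and both sample files are this example's own.

```python
import io
import zipfile

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # every ordinary APK starts with this
DEX_MAGIC_PREFIX = b"dex\n"              # a DEX file starts with "dex\n" plus a version, e.g. b"035\x00"


def zip_start_offset(data: bytes) -> int:
    """Return the file offset of the earliest ZIP local file header.

    zipfile treats bytes in front of an archive as a self-extractor stub and
    reports header_offset as the real position in the file, so this works
    whether or not the archive's internal offsets were rewritten.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if not infos:
            raise ValueError("archive has no entries")
        return min(info.header_offset for info in infos)


def check_apk(data: bytes) -> list:
    """Return findings for an APK; an empty list means the ZIP begins at offset 0.

    The v1 (JAR) signature only covers the entries listed in the ZIP, so any
    bytes in front of the first local header are unsigned. A file that starts
    with DEX magic and still parses as a ZIP has exactly the Janus shape.
    """
    findings = []
    if data.startswith(DEX_MAGIC_PREFIX):
        findings.append("file begins with DEX magic instead of a ZIP local file header")
    elif not data.startswith(ZIP_LOCAL_HEADER_MAGIC):
        findings.append("file does not begin with a ZIP local file header")
    leading = zip_start_offset(data)
    if leading:
        findings.append(
            f"{leading} byte(s) precede the first ZIP entry and are not covered by a v1 signature"
        )
    return findings


def build_plain_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP holding a dummy classes.dex and manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_janus_shaped_sample(apk: bytes) -> bytes:
    """Constructed sample: a fake DEX header glued in front of the untouched ZIP.

    A real Janus file is a complete DEX whose ZIP half has its offsets
    rewritten; this stand-in only reproduces the layout the check looks for.
    """
    fake_dex_header = b"dex\n035\x00" + b"\x00" * 120   # 128 bytes, no executable content
    return fake_dex_header + apk


if __name__ == "__main__":
    clean = build_plain_apk()
    suspect = build_janus_shaped_sample(clean)
    print("plain ZIP:", check_apk(clean) or "no findings")
    print("DEX-first ZIP:", check_apk(suspect))
```

A v2-signed APK does not need this check: Signature Scheme v2 covers the whole file outside its signing block, so prepended bytes break the signature. For v1-only APKs obtained outside the Play Store, refusing any file whose ZIP does not begin at offset 0 is the kind of check an updated installer or a sideloading scanner can enforce before the package is accepted.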

Comments

So those who only got updated to the Dec 1st patch level are still affected?

givitumibeybi

If you install apks from unknown sources, yes.

EarlyMon

Nope. Fixed with December 1.

d0x360

I'll install whatever I want sir thank you very much!

It's unfortunate that you can't scan a sideloaded app with Play Protect. In fact, Play Protect should be an app or system service that scans an app in real time at 1st load and every time it accesses files.

Mkvarner

"and every time it accesses files"

Sounds like a great way to kill battery life.

d0x360

I'm talking sideloaded apps only and I really meant when they download or change files. I should have been more specific but I was in a rush.

Does it matter? Do you go around installing random APKs you find on the Internet?

d0x360

Sometimes

MJ

Then you have bigger problems than this...

d0x360

I actually don't. No phone I've owned since the HTC G1 has ever been infected by anything and I upgrade yearly and generally get a Google designed phone except the Nexus 5, I got an HTC One m8 instead.

I don't literally just download random apks. I do download random ones from XDA.

Really though my reply was sarcastic. That's why it was one word.

JG

Yeah... It's the KRACK patch issue all over again... At least this time, it's Dec 1 to Dec 5 instead of Nov 5 v Nov 6...

EarlyMon

Janus, patched December 1.

d0x360

Which makes no sense since they knew about it in July. They hammer on Microsoft for not fixing something in 90 days... Sometimes Google never fixes serious flaws.

Did any commercial exploit actually ever become available for the Bluetooth bug though? It definitely wasn't the apocalypse that they wanted us to think it would be.

EverythingTech

None of it affected me. Google handled it all.

bekifft

You're likely not a high value target. Who knows who actually used these and for what purpose.

Jordan

None of these attacks have a particular target. They are in line with typical malware in the last five years: Find a vulnerability in something big, hit as many targets as quickly as possible, steal what you can, maybe update your malware to a new vulnerability once a patch is released.

It is very rare for any malware to be targeted in any meaningful way anymore. Outside of state-sponsored attacks, volume is king.

roberto.elena

Has any of this extra work delayed the development of the APKMirror app?

Can't Google put this in Play Services and/or Play Store for the scanner in the latter? A lot of people aren't going to get that December patch. Unless this doesn't apply to apps on the Play Store.

EverythingTech

Another reason why a Pixel phone is a great choice. I'm rocking the December patch with stable Oreo 8.1.

d0x360

No because like most malware play protect doesn't matter. All they have to do is download the extra data after it's been installed. So if an app asks for permission to access files and you say yes then your phone can be infected.

Google needs to make it so if an app has an update it has to go through the store. I don't see how an app could accidentally be infected with Janus. The dev would have to do it on purpose. So it's another case of don't download shitty looking apps that have a low number of downloads from some random dev.

zelendel

Considering that most of the apps Google has pulled recently due to malware have had hundreds of thousands of downloads. Not to mention been on the Play Store for years.

When will people learn? There will always be a risk. As long as people use programs to do things there will be people that hack them, and there is nothing anyone can do about it. Mobile security is a myth.

d0x360

Oh I know some of them have very large numbers of downloads. It's a sad state of affairs but it's what happens when you're the number 1 OS in your sector. Tons of profit in infecting Android devices, and Google doesn't have the experience Microsoft has in trying to secure an OS while still leaving it functional for users.

There are more steps Google could and should take. One example is the team of people they have that do nothing but try to break the security of Windows... maybe juuuust maybe they should be trying to break Android instead.

The bug bounty program helps, but it's far more profitable to hop on TOR and sell the exploit you found than it is to tell Google about it and get a few thousand dollars or less, depending on how severe Google thinks it is.

You are right, mobile will never be secure, but what is? The real issue is Google needs to make sure patches are delivered to every phone. No more of this bs letting mobile carriers sit on updates and fiddle with them for a year before sending them out... if they ever send them out.

That's why I won't buy a phone that doesn't have a method for root. It's the 1st thing I do, and the 2nd after setting it up is install Adguard, which does a great job of blocking these nefarious apps from downloading their payloads.

bekifft

Security is a myth. There are only degrees.

EarlyMon

"I don't see how an app could accidentally be infected with Janus."

The threat is from apps obtained from outside of the Play Store, exactly as the source said, and why AP responded about the health of the APKMirror.

It took you that long to realize installing unknown sources and 3rd party apk's might be a bad idea?! 😂

Funny Valentine

I don't even install apps from outside the Play Store.

zelendel

Only if you lack common sense. OK so for the average person, you are right.

zelendel

This has been used for years. Mainly by themers that change the apks and still put back the original signature. Mainly when modding system apps.

AndroidUser00110001

7zip was a good way to modify APK without breaking signature too.

zelendel

Yup. Mainly if you don't need to decompile them for simple image changes.

Nikolas Spiridakis

Practically how can I do that?

d0x360

ROFL Google attacks Microsoft for not fixing a flaw in 90 days... let's see how many days it is between July and December...

Great job Google. The plan must be one of those "OMG look over there!" kinda deals, because Google is the WORST at fixing flaws.

I love Android, I have since the slow... slow G1 was released, which I replaced the second the Nexus One launched. I wish Google was better about this.

For example, don't let apps download data outside of the store. That's how most malware gets in. Plus on a phone where you have limited access to files, it's a recipe for disaster.

Jordan

Eh. It's not a huge threat. Google already discourages obtaining APKs from anywhere but the Play Store. This requires an attacker to use an APK compiled against API level <24, one with permissions that they want and get someone to download this APK from somewhere other than the Play Store. This is the kind of attack that requires a level of targeting we just don't see anymore and if someone is going to go through all of that, they have plenty of other means to accomplish the same result.

11222

Has XDA Labs addressed this issue? I do have a few apps downloaded from them.

iKon

Does APK mirror have showbox on it?

My1

I doubt the same signature would normally work on an old and an updated version, I think what you mean is whether both sigs come from the same signing key in regards to the update check.